Our blogs Conversations around digital security

EMV can eliminate fraud, not just shift it

You always see us say on this blog that EMV chip technology is more secure than magnetic stripe, and prevents payment fraud and use of counterfeit cards. Well we don’t just say it – the stats confirm it. Since the UK has implemented EMV, fraud has dropped steadily every year, and many other countries have had similar experiences.

Canada is now close to the end of its own EMV migration, and I’d been eagerly waiting to hear about its impact on fraud. Last month at Cardware 2012: Payment Insights, I got what I wished for: Visa Canada presented on the state of fraud in Canada.

Though the presentation isn’t available to the public just yet, I can tell you what I heard. In Canada, EMV is most certainly helping to decrease counterfeit, lost or stolen, and non-receipt fraud. In 2010, counterfeit fraud made up 37% of total fraud, lost or stolen made up 10%, while non-receipt made up 2%. In 2011, counterfeit fraud made up only 28% of total fraud, lost stolen made up 7%, while non-receipt was reduced to 1%.

These reductions are great news, but there is a problem: the fraud is shifting to card-not-present (CNP) fraud. The percentage of CNP fraud in 2010 was 48%, and grew to 59% in 2011. While EMV is working to stop fraud at the point-of-sale (POS), determined criminals are finding their way around it.

CNP is just what it sounds like: making a transaction where the card cannot be present, such as over the Internet. In these cases, the secure chip in the EMV card does no good if the merchant is only asking for a credit card number and expiration date. This is where EMV needs to be implemented differently to combat fraud.

Here’s how it works, and how 30 million Europeans are already conducting online transactions: You have a handheld reader that you insert your EMV card into every time you make an online transaction, and enter your PIN. The reader displays a one-time password (OTP) that you enter along with your payment details on the merchant checkout page. The password is passed back to the issuer for authentication using MasterCard SecureCode or Verified by Visa. This same method can be used to conduct online banking transactions.

Using the handheld reader and OTP confirms that you are who you say you are and have the card with you at the time of transaction. This prevents criminals from stealing and selling your credit card details to be used fraudulently in online transactions.

Countries in the early stages of EMV implementation, like the United States, need to consider CNP fraud and implementing such measures to combat it. We have to eliminate fraud, not shift it somewhere else.

Thanks for your comment, Martin. Many banks already offer handheld readers, especially in Europe, and it’s a price worth paying to them if it reduces fraud and increases customer loyalty as a result. In other markets where the handheld readers are not yet as readily distributed, the question that begs an answer is with whom the responsibility for security ultimately lies. If you’re choosing to bank with a certain brand or select one card merchant over another, additional security is surely an enticing factor. So, the readers will be paid for by the brands that want to retain and grow their customer base.